LockBit has been one of the longest-running and most prolific ransomware operations in history. When version 3.0 (also called LockBit Black) launched in June 2022, it came with something unprecedented in ransomware: a bug bounty program. The group was offering cash rewards to anyone who could find vulnerabilities in their ransomware payload or infrastructure. It was an audacious move that underscored just how professionalized the ransomware ecosystem had become.
By the time LockBit 3.0 was in full swing, the operation was responsible for more ransomware attacks than any other group — accounting for roughly 30-40% of all ransomware incidents in late 2022 and 2023.
From LockBit to LockBit 3.0
The LockBit operation evolved through three major versions:
LockBit 1.0 (September 2019): The original version operated on underground forums, recruiting affiliates through a standard RaaS model. The ransomware was functional but unremarkable.
LockBit 2.0 (June 2021): A major upgrade that introduced faster encryption through a technique called intermittent encryption — encrypting only portions of each file rather than the entire contents. This dramatically increased encryption speed while still rendering files unusable. LockBit 2.0 also added automated network propagation via Group Policy Objects (GPO), allowing the ransomware to spread across Windows domains without manual intervention.
LockBit 3.0 (June 2022): The most sophisticated version, borrowing code elements from the BlackMatter ransomware. LockBit 3.0 added anti-analysis features, a more modular architecture, and the aforementioned bug bounty program.
The Bug Bounty: PR Stunt or Operational Necessity?
LockBit 3.0's bug bounty program offered rewards ranging from $1,000 to $1 million for:
- Vulnerabilities in the ransomware payload that could enable decryption without the key
- Bugs in the Tor infrastructure or leak site
- XSS and SQL injection vulnerabilities in the web panel
- Identifying the real identity of the affiliate program manager ("LockBitSupp")
The million-dollar bounty for identifying LockBitSupp was almost certainly a PR stunt — the operator wasn't genuinely expecting anyone to collect. But the technical bounties served a real purpose. LockBit's operators understood that law enforcement agencies were actively looking for flaws in their infrastructure (as the FBI had done with BlackCat). A bug bounty was a cost-effective way to identify and fix those flaws before law enforcement could exploit them.
The program also served as marketing. It positioned LockBit as confident and professional, attracting affiliates who wanted to work with an operation that appeared stable and technically competent.
Technical Capabilities
LockBit 3.0 represented the state of the art in ransomware engineering:
Encryption
The payload used a combination of Curve25519 and AES-256 for encryption. Intermittent encryption was refined in version 3.0, with configurable encryption percentages — affiliates could choose to encrypt 4KB, 8KB, or 16KB blocks with gaps between them, trading encryption thoroughness for speed.
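Intermittent encryption leaves a distinctive footprint that a forensic scanner can pick up: high-entropy blocks alternating with untouched plaintext at the block size the affiliate chose. The scanner below is an added example (not LockBit's code nor anything from the page) that profiles a file in 4KB chunks and flags the alternating pattern; the 7.0 bits-per-byte threshold and the constructed sample file are assumptions.

```python
import math
import os

CHUNK = 4096         # 4KB block size from the text; assumption: the scan aligns to it
HIGH_ENTROPY = 7.0   # bits per byte; assumed cut-off (text ~4-5, ciphertext/random ~8)


def entropy(data: bytes) -> float:
    """Shannon entropy of a chunk in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_profile(blob: bytes, chunk: int = CHUNK) -> list:
    """One boolean per chunk: True where the chunk looks encrypted."""
    return [entropy(blob[i:i + chunk]) >= HIGH_ENTROPY
            for i in range(0, len(blob), chunk)]


def looks_intermittently_encrypted(blob: bytes, chunk: int = CHUNK) -> bool:
    """Flag files whose high-entropy chunks alternate with low-entropy ones.

    All-high (fully encrypted, or a compressed archive) and all-low files are
    left to other checks; a mix with repeated transitions is the signature of
    block-wise intermittent encryption.
    """
    profile = chunk_profile(blob, chunk)
    if len(profile) < 4:
        return False
    high = sum(profile)
    if high == 0 or high == len(profile):
        return False
    transitions = sum(1 for a, b in zip(profile, profile[1:]) if a != b)
    return transitions >= 2


def make_sample(total_chunks: int = 8, encrypt_every: int = 2,
                chunk: int = CHUNK) -> bytes:
    """Constructed sample: report-like text with every Nth block replaced by
    random bytes, mimicking a block encrypted in place."""
    text = (b"Quarterly revenue report. Figures in thousands of USD. " * 100)[:chunk]
    parts = [os.urandom(chunk) if i % encrypt_every == 0 else text
             for i in range(total_chunks)]
    return b"".join(parts)
```

Run against a directory of documents, this kind of chunked profile separates partially encrypted files from legitimately compressed or encrypted ones that a whole-file entropy check would lump together.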
Anti-Analysis
LockBit 3.0 introduced several anti-analysis measures:
- Password-protected execution: The payload required a command-line password to execute, preventing analysis by researchers who obtained samples without the associated password
- Dynamic API resolution: Windows API calls were resolved at runtime rather than being listed in the import table, complicating static analysis
- String encryption: All meaningful strings were encrypted and only decrypted during execution
- Anti-debugging: Multiple techniques detected debugger attachment and virtual machine environments
Propagation
Automated propagation capabilities included:
- Active Directory enumeration and GPO abuse for domain-wide deployment
- SMB lateral movement using harvested credentials
- Print Spooler exploitation for additional propagation paths
- Wake-on-LAN to power on offline machines before encryption
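The Wake-on-LAN step is one of the more detectable parts of that chain: a magic packet has a fixed layout (six 0xFF bytes followed by the target MAC repeated sixteen times), and a single workstation waking many peers is not normal traffic. The following detector is an added example, not code from the page or from LockBit; it assumes UDP payloads have already been extracted from a capture as (source IP, payload) pairs, and the burst threshold and sample traffic are constructed.

```python
def parse_magic_packet(payload: bytes):
    """Return the target MAC ("aa:bb:cc:dd:ee:ff") if payload is a valid WoL
    magic packet, else None.  Layout: 6 x 0xFF, then the MAC repeated 16 times
    (102 bytes total); an optional SecureOn password may follow and is ignored."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def wol_burst_sources(packets, threshold: int = 5) -> dict:
    """packets: iterable of (src_ip, udp_payload).  Return {src_ip: [MACs]} for
    sources that sent magic packets to at least `threshold` distinct targets,
    i.e. one host trying to power on many machines (threshold is assumed)."""
    targets = {}
    for src, payload in packets:
        mac = parse_magic_packet(payload)
        if mac:
            targets.setdefault(src, set()).add(mac)
    return {src: sorted(macs) for src, macs in targets.items()
            if len(macs) >= threshold}


def magic_packet(mac: str) -> bytes:
    """Constructed helper used only to build sample traffic for the test."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return b"\xff" * 6 + raw * 16


# Constructed traffic: one workstation waking eight peers, one admin host waking
# a single machine, and a non-WoL datagram on the same port.
SAMPLE_TRAFFIC = [
    ("10.0.5.23", magic_packet(f"00:1a:2b:3c:4d:{i:02x}")) for i in range(8)
] + [
    ("10.0.0.10", magic_packet("00:1a:2b:3c:4d:ff")),
    ("10.0.5.23", b"not a magic packet"),
]
```

Feeding this with UDP port 9 (or port 7) payloads from a sensor gives an early signal that fires before encryption starts, when a response still has something to protect.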
StealBit
LockBit developed a custom data exfiltration tool called StealBit, designed for speed. StealBit could exfiltrate large volumes of data quickly, supporting the double extortion model by ensuring data theft was completed before ransomware deployment triggered incident response.
The Affiliate Ecosystem
LockBit's affiliate program was the most active in the RaaS ecosystem:
- Affiliates received 75-80% of ransom payments
- The operation maintained a reputation system for affiliates
- New affiliates underwent a vetting process
- The operation provided infrastructure, the payload, negotiation support, and the leak site
LockBit's success attracted affiliates from multiple disbanded operations, including former Conti, REvil, and BlackMatter operators. This cross-pollination of talent meant LockBit affiliates brought diverse intrusion techniques and established access to victim networks.
Victim Impact
Between June 2022 and early 2024, LockBit claimed responsibility for over 2,000 attacks. High-profile victims included:
- Royal Mail (January 2023): The UK's postal service was crippled for weeks, with international mail delivery severely disrupted
- Boeing (October 2023): The aerospace giant had data stolen and leaked after refusing to pay
- ICBC (November 2023): The US branch of the Industrial and Commercial Bank of China was hit, disrupting US Treasury market operations
- Fulton County, Georgia (January 2024): County government operations were disrupted for weeks
The ICBC attack was particularly noteworthy because it demonstrated LockBit's willingness to target financial infrastructure, and the resulting disruption to Treasury market operations showed how ransomware could have systemic financial implications.
Operation Cronos: The Takedown
In February 2024, an international law enforcement operation called "Operation Cronos" disrupted LockBit's infrastructure. The operation, led by the UK's National Crime Agency with support from the FBI, Europol, and agencies from ten countries:
- Seized 34 servers across multiple countries
- Took control of LockBit's leak site
- Obtained over 1,000 decryption keys
- Identified and sanctioned Dmitry Khoroshev as the alleged operator behind "LockBitSupp"
Law enforcement used LockBit's own leak site to publish information about the group's operations, including details about affiliates, infrastructure, and the amount of ransom money that actually reached LockBit's operators versus what they claimed publicly.
The takedown revealed that LockBit had not been deleting stolen data after ransoms were paid, as they promised victims. This undermined the fundamental transaction at the heart of ransomware — pay and the problem goes away — and may have long-term implications for ransom payment decisions.
Post-Takedown
LockBit attempted to resume operations within days of the takedown, launching a new leak site and claiming the disruption had minimal impact. However, the operation's credibility was severely damaged:
- Affiliate trust was undermined by the revelation that stolen data wasn't being deleted
- The identification of LockBitSupp removed the anonymity that enabled operations
- Several affiliates migrated to competing operations
- Post-takedown LockBit claims appeared to include recycled data from previous breaches
How Safeguard.sh Helps
LockBit's industrial-scale operations — thousands of attacks using automated propagation and supply chain access — represent the kind of high-volume, high-speed threat that demands equally automated defense.
Safeguard.sh provides the automated supply chain monitoring that matches the pace of modern ransomware operations. The platform's continuous SBOM analysis and vulnerability tracking ensure that your software supply chain is assessed in real time, not through periodic manual reviews that can't keep up with the volume of attacks LockBit demonstrated.
When a LockBit affiliate exploits a vulnerability in a vendor's remote management tool or a dependency in your software stack, Safeguard.sh's policy engine flags the exposure immediately. The platform's comprehensive dependency mapping means you can assess blast radius in minutes — identifying every system that depends on a compromised component and prioritizing response actions based on actual risk rather than guesswork.